% !TEX root =  main.tex

\subsection{ProSecO}
\label{sec:ProSecO}

\begin{figure}[t]
	\centering
	\includegraphics[width=\columnwidth]{./figures/ProSecO}
	\caption{ProSecO Y-Process}
	\label{fig:ProSecO}
\end{figure}

Beyond the access control analysis in \emph{SECTET}, Breu \etal recognized that 
``for a thorough security analysis not only the information objects but also the applications, business processes and the organization supporting the creation and processing of information have to be considered''.
In \cite{10.1007/978-3-540-78942-0-8}, they therefore proposed a further, overarching security modeling and analysis framework called \emph{ProSecO}. 

\smallskip\noindent \textbf{Security Concerns.}\hspace{0.5cm} 
The objective of the \emph{ProSecO} framework proposed by Breu \etal is to handle
\emph{modularity}, \emph{traceability} and \emph{model-driven configuration of security services} in an environment that is \textbf{heterogeneous} because stakeholders differ in their organizational structures,
security regulations and infrastructures.

In \emph{ProSecO}, security concerns are defined as threats and risks.

\smallskip\noindent \textbf{Modeling.}\hspace{0.5cm} 
\emph{ProSecO} defines a Global/Local system meta-model for functional modeling, in which elements are classified along two orthogonal categories, \ie level of interaction and level of abstraction.
In addition, it defines a security meta-model that aims to cover both general security objectives and detailed, context-dependent security requirements.

Once the modular components have been modeled, system behavior is modeled by identifying the \emph{Dependency Graph} among those components; security concerns are then integrated into the dependency graph by annotating
the specific components. 

\smallskip\smallskip\noindent \textbf{Transformation.}\hspace{0.5cm} 
\emph{ProSecO} does not currently provide generation of the enforcement infrastructure.

\smallskip\noindent \textbf{Analysis.}\hspace{0.5cm} 
In \emph{ProSecO}, users can only perform \emph{qualitative} security analysis on the \emph{Annotated Dependency Graph}, by evaluating threats and risks and finally producing a risk evaluation report manually.
The modeling is supported by the toolset developed in \emph{SECTET}, but there is no tool support for security analysis or code generation in \emph{ProSecO}.

Strictly speaking, and according to the \mds definitions in \sect
\ref{sec:concept}, \emph{ProSecO} is not yet a mature \mds methodology. Since we
assume that the authors will continue developing their approach, we nevertheless
synthesize \emph{ProSecO} as a \emph{Y-Process} in \fig \ref{fig:ProSecO}. The
dashed rectangle in \fig \ref{fig:ProSecO} indicates that
tool-supported code generation is currently missing from the approach.

